blob: 0232b569470116dcdbaccdd95f43ebed91ee4bae [file] [log] [blame]
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +01001/*
2 * User authentication & authorization
3 *
4 * Copyright 2010 Krzysztof Piotr Oledzki <ole@ans.pl>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Willy Tarreaue5733232019-05-22 19:24:06 +020013#ifdef USE_LIBCRYPT
Willy Tarreau890a33e2010-03-04 19:10:14 +010014/* This is to have crypt() defined on Linux */
15#define _GNU_SOURCE
16
Willy Tarreaue5733232019-05-22 19:24:06 +020017#ifdef USE_CRYPT_H
Willy Tarreau890a33e2010-03-04 19:10:14 +010018/* some platforms such as Solaris need this */
19#include <crypt.h>
20#endif
Willy Tarreaue5733232019-05-22 19:24:06 +020021#endif /* USE_LIBCRYPT */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010022
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
Willy Tarreaue8692b42016-12-21 19:36:25 +010028#include <types/global.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010029#include <common/config.h>
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010030#include <common/errors.h>
Willy Tarreau34d4b522018-10-29 18:02:54 +010031#include <common/hathreads.h>
Willy Tarreau80713382018-11-26 10:19:54 +010032#include <common/initcall.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010033
34#include <proto/acl.h>
35#include <proto/log.h>
36
37#include <types/auth.h>
Thierry FOURNIERa65b3432013-11-28 18:22:00 +010038#include <types/pattern.h>
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010039
40struct userlist *userlist = NULL; /* list of all existing userlists */
41
Willy Tarreaue5733232019-05-22 19:24:06 +020042#ifdef USE_LIBCRYPT
Willy Tarreau943e7ec2018-10-29 19:16:27 +010043#ifdef HA_HAVE_CRYPT_R
44/* context for crypt_r() */
45static THREAD_LOCAL struct crypt_data crypt_data = { .initialized = 0 };
46#else
47/* lock for crypt() */
Willy Tarreau34d4b522018-10-29 18:02:54 +010048__decl_hathreads(static HA_SPINLOCK_T auth_lock);
49#endif
Willy Tarreau943e7ec2018-10-29 19:16:27 +010050#endif
Willy Tarreau34d4b522018-10-29 18:02:54 +010051
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010052/* find targets for selected gropus. The function returns pointer to
53 * the userlist struct ot NULL if name is NULL/empty or unresolvable.
54 */
55
56struct userlist *
57auth_find_userlist(char *name)
58{
59 struct userlist *l;
60
61 if (!name || !*name)
62 return NULL;
63
64 for (l = userlist; l; l = l->next)
65 if (!strcmp(l->name, name))
66 return l;
67
68 return NULL;
69}
70
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010071int check_group(struct userlist *ul, char *name)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010072{
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010073 struct auth_groups *ag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010074
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010075 for (ag = ul->groups; ag; ag = ag->next)
76 if (strcmp(name, ag->name) == 0)
77 return 1;
78 return 0;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010079}
80
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010081void
82userlist_free(struct userlist *ul)
83{
84 struct userlist *tul;
85 struct auth_users *au, *tau;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010086 struct auth_groups_list *agl, *tagl;
87 struct auth_groups *ag, *tag;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010088
89 while (ul) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010090 /* Free users. */
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +010091 au = ul->users;
92 while (au) {
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010093 /* Free groups that own current user. */
94 agl = au->u.groups;
95 while (agl) {
96 tagl = agl;
97 agl = agl->next;
98 free(tagl);
99 }
100
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100101 tau = au;
102 au = au->next;
103 free(tau->user);
104 free(tau->pass);
105 free(tau);
106 }
107
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100108 /* Free grouplist. */
109 ag = ul->groups;
110 while (ag) {
111 tag = ag;
112 ag = ag->next;
113 free(tag->name);
114 free(tag);
115 }
116
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100117 tul = ul;
118 ul = ul->next;
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100119 free(tul->name);
120 free(tul);
121 };
122}
123
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100124int userlist_postinit()
125{
126 struct userlist *curuserlist = NULL;
127
128 /* Resolve usernames and groupnames. */
129 for (curuserlist = userlist; curuserlist; curuserlist = curuserlist->next) {
130 struct auth_groups *ag;
131 struct auth_users *curuser;
132 struct auth_groups_list *grl;
133
134 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
135 char *group = NULL;
136 struct auth_groups_list *groups = NULL;
137
138 if (!curuser->u.groups_names)
139 continue;
140
141 while ((group = strtok(group?NULL:curuser->u.groups_names, ","))) {
142 for (ag = curuserlist->groups; ag; ag = ag->next) {
143 if (!strcmp(ag->name, group))
144 break;
145 }
146
147 if (!ag) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100148 ha_alert("userlist '%s': no such group '%s' specified in user '%s'\n",
149 curuserlist->name, group, curuser->user);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000150 free(groups);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100151 return ERR_ALERT | ERR_FATAL;
152 }
153
154 /* Add this group at the group userlist. */
155 grl = calloc(1, sizeof(*grl));
156 if (!grl) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100157 ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
158 curuserlist->name);
Dirkjan Bussink07fcaaa2014-04-28 22:57:16 +0000159 free(groups);
160 return ERR_ALERT | ERR_FATAL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100161 }
162
163 grl->group = ag;
164 grl->next = groups;
165 groups = grl;
166 }
167
168 free(curuser->u.groups);
169 curuser->u.groups = groups;
170 }
171
172 for (ag = curuserlist->groups; ag; ag = ag->next) {
173 char *user = NULL;
174
175 if (!ag->groupusers)
176 continue;
177
178 while ((user = strtok(user?NULL:ag->groupusers, ","))) {
179 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
180 if (!strcmp(curuser->user, user))
181 break;
182 }
183
184 if (!curuser) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100185 ha_alert("userlist '%s': no such user '%s' specified in group '%s'\n",
186 curuserlist->name, user, ag->name);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100187 return ERR_ALERT | ERR_FATAL;
188 }
189
190 /* Add this group at the group userlist. */
191 grl = calloc(1, sizeof(*grl));
192 if (!grl) {
Christopher Faulet767a84b2017-11-24 16:50:31 +0100193 ha_alert("userlist '%s': no more memory when trying to allocate the user groups.\n",
194 curuserlist->name);
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100195 return ERR_ALERT | ERR_FATAL;
196 }
197
198 grl->group = ag;
199 grl->next = curuser->u.groups;
200 curuser->u.groups = grl;
201 }
202
203 free(ag->groupusers);
204 ag->groupusers = NULL;
205 }
206
207#ifdef DEBUG_AUTH
208 for (ag = curuserlist->groups; ag; ag = ag->next) {
209 struct auth_groups_list *agl;
210
211 fprintf(stderr, "group %s, id %p, users:", ag->name, ag);
212 for (curuser = curuserlist->users; curuser; curuser = curuser->next) {
213 for (agl = curuser->u.groups; agl; agl = agl->next) {
214 if (agl->group == ag)
215 fprintf(stderr, " %s", curuser->user);
216 }
217 }
218 fprintf(stderr, "\n");
219 }
220#endif
221 }
222
223 return ERR_NONE;
224}
225
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100226/*
227 * Authenticate and authorize user; return 1 if OK, 0 if case of error.
228 */
229int
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100230check_user(struct userlist *ul, const char *user, const char *pass)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100231{
232
233 struct auth_users *u;
CJ Ess6eac32e2015-05-02 16:35:24 -0400234#ifdef DEBUG_AUTH
235 struct auth_groups_list *agl;
236#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100237 const char *ep;
238
239#ifdef DEBUG_AUTH
CJ Ess6eac32e2015-05-02 16:35:24 -0400240 fprintf(stderr, "req: userlist=%s, user=%s, pass=%s\n",
241 ul->name, user, pass);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100242#endif
243
244 for (u = ul->users; u; u = u->next)
245 if (!strcmp(user, u->user))
246 break;
247
248 if (!u)
249 return 0;
250
251#ifdef DEBUG_AUTH
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100252 fprintf(stderr, "cfg: user=%s, pass=%s, flags=%X, groups=",
253 u->user, u->pass, u->flags);
254 for (agl = u->u.groups; agl; agl = agl->next)
255 fprintf(stderr, " %s", agl->group->name);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100256#endif
257
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100258 if (!(u->flags & AU_O_INSECURE)) {
Willy Tarreaue5733232019-05-22 19:24:06 +0200259#ifdef USE_LIBCRYPT
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100260#ifdef HA_HAVE_CRYPT_R
261 ep = crypt_r(pass, u->pass, &crypt_data);
262#else
Willy Tarreau34d4b522018-10-29 18:02:54 +0100263 HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100264 ep = crypt(pass, u->pass);
Willy Tarreau34d4b522018-10-29 18:02:54 +0100265 HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
Willy Tarreau943e7ec2018-10-29 19:16:27 +0100266#endif
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100267#else
268 return 0;
269#endif
270 } else
271 ep = pass;
272
273#ifdef DEBUG_AUTH
274 fprintf(stderr, ", crypt=%s\n", ep);
275#endif
276
Cyril Bontéc82279c2014-08-29 20:20:01 +0200277 if (ep && strcmp(ep, u->pass) == 0)
Krzysztof Piotr Oledzki96105042010-01-29 17:50:44 +0100278 return 1;
279 else
280 return 0;
281}
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100282
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100283struct pattern *
284pat_match_auth(struct sample *smp, struct pattern_expr *expr, int fill)
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100285{
Willy Tarreau37406352012-04-23 16:16:37 +0200286 struct userlist *ul = smp->ctx.a[0];
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100287 struct pattern_list *lst;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100288 struct auth_users *u;
289 struct auth_groups_list *agl;
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100290 struct pattern *pattern;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100291
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100292 /* Check if the userlist is present in the context data. */
293 if (!ul)
Willy Tarreau86e0fc12014-04-29 19:52:16 +0200294 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100295
296 /* Browse the userlist for searching user. */
297 for (u = ul->users; u; u = u->next) {
Willy Tarreau843b7cb2018-07-13 10:54:26 +0200298 if (strcmp(smp->data.u.str.area, u->user) == 0)
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100299 break;
300 }
301 if (!u)
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100302 return NULL;
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100303
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100304 /* Browse each pattern. */
305 list_for_each_entry(lst, &expr->patterns, list) {
306 pattern = &lst->pat;
307
308 /* Browse each group for searching group name that match the pattern. */
309 for (agl = u->u.groups; agl; agl = agl->next) {
310 if (strcmp(agl->group->name, pattern->ptr.str) == 0)
311 return pattern;
312 }
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +0100313 }
Thierry FOURNIER5338eea2013-12-16 14:22:13 +0100314 return NULL;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100315}
Willy Tarreaue8692b42016-12-21 19:36:25 +0100316
Willy Tarreau80713382018-11-26 10:19:54 +0100317REGISTER_BUILD_OPTS("Encrypted password support via crypt(3): yes");